Saturday, December 29, 2007

Will you be the next person arrested after a criminal borrows your identity?

With new Social Security verification laws on the horizon, up to 20 million illegal aliens will probably have to come up with a legitimate identity in order to remain employed.

Up until now, anyone has been able to make up a number and pass it off with false identification. DHS (Department of Homeland Security) was supposed to begin going after businesses that employed people with "no match social security numbers" in September, but a lawsuit has temporarily blocked them from implementing the process.

Interestingly enough, one of the arguments is that Social Security records aren't accurate enough to ensure mistakes won't be made. This is probably a "no brainer" defense with all the fraud that exists with social security numbers.

Given that a lot of illegal immigrants look Hispanic, a lot of them will probably seek out legitimate identities of U.S. citizens with Hispanic surnames.

Hidden within the camouflage that illegal immigration creates is a lot of criminal activity. When another person's identity is used to commit a crime, there is a potential that they are going to face more than financial problems after becoming a victim.

Here is a scary story -- possibly a premonition of things to come -- of a senior U.S. citizen, who obviously had his identity stolen by a criminal. The story also reveals why relying on social security numbers to identify people might lead to mistakes being made.

Eloisa Ruano Gonzalez of the Yakima Herald-Republic wrote:

It seemed like a bad dream when 72-year-old retiree Rafael "Ralph" Franco woke up to a loud pounding on his front door, opened it, and found four federal agents waiting to seize him.

The longtime Yakima resident was arrested about 6 a.m. on Nov. 28 at his South Second Street apartment. Immigration officers believed that Franco, a U.S. citizen, was an undocumented immigrant convicted of several alcohol- and weapon-related crimes.

Of course, Hispanic identities aren't the only ones used by criminals. In fact, there are more and more reports of innocent people being charged with crimes after a criminal assumes their identity, commits crimes and disappears into the mist after making bail or being released because the jail is full.

The issue of people wrongfully getting arrested because they are suspected of illegal immigration is probably only one small part of the overall problem.

Stealing personal and financial information and putting it on counterfeit documents has become an organized activity. I was recently in the Mission District of the sanctuary city of San Francisco and full sets were being offered, along with a variety of drugs for as little as $200.00. A full set is normally a driver's license, Social Security and green card.

Please note, I've personally seen this activity in other cities besides San Francisco. It's pretty much out in the open and little to nothing seems to be done about it.

Suad Leija -- the stepdaughter of the "Jefe" of an organized counterfeiting cartel -- recently provided evidence to the government that counterfeiting documents is an extremely organized enterprise, which operates across the entire United States.

One of the more ironic things Suad was able to show the government was proof of her uncle serving a prison sentence in Texas under an assumed name.

There is also considerable evidence that hackers have already stolen millions (billions?) of people's information and sell it pretty openly in anonymous Internet venues.

Put these two organized activities together and they will likely easily defeat any legislation requiring Social Security numbers to match.

I started this post with an observation about Hispanic identities being targeted, but the truth of the matter is that the 20 million or so illegal immigrants seeking legitimate identities is only one small part of a bigger problem. Even if the problem were simply related to illegal immigration -- people of Hispanic origin aren't the only ones crossing our borders illegally.

Figuring out exactly what country an illegal immigrant came from is difficult. Most of them aren't likely to reveal very many personal details. I was able to find a rather outdated study from DHS.gov that reveals some old statistics on the matter:

In October 1996, 15 countries were each the source of 40,000 or more undocumented immigrants (See Table 1). The top five countries are geographically close to the United States--Mexico, El Salvador, Guatemala, Canada, and Haiti. Of the top 15 countries, only the Philippines, Poland, and Pakistan are outside the Western Hemisphere. The estimated undocumented population from Poland has declined by more than 25 percent, from 95,000 to 70,000, since 1988, possibly reflecting changed conditions in that country over the last several years.

Sara Carter of the Washington Times did an article in August about a report she saw from the DEA (Drug Enforcement Administration) that people of Middle Eastern/South Asian descent were posing as Hispanics. The article alleged that a partnership was being formed around something they have in common: trafficking narcotics.

Even with NATO having boots on the ground in Afghanistan, opium production is at an all time high. Most of this is allegedly being bought by the Taliban, who now seem to operate pretty freely from the tribal areas in Pakistan.

Criminals trafficking narcotics aren't the only ones using false identities. In fact, more and more, the use of false (other people's) identities is being used to facilitate all kinds of criminal activity.

Identity theft may very well become the great facilitator (enabler) of more and more crime. If criminals are able to get away with using someone else's identity, we are going to see a lot more people victimized.

As long as we continue to consider identity theft a "low priority issue," it will continue to grow and multiply like a cancer.

The bottom line is that until we start addressing the factors that make stealing and using information too easy, we aren't going to fix the problem.

Doing this is going to take the cooperation of everyone from the average citizen to executive types in major corporations and our leaders in government.

Yakima Herald-Republic story, here.

Thursday, December 27, 2007

Symantec awarded $21 million award against Chinese Software Pirates

On Christmas Eve, Symantec announced a legal victory against Chinese pirates selling their cloned software at super cheap prices.

Please note, I stole the super cheap description from Symantec's video called "The 12 days of Christmas Spam." The super cheap tag can either refer to price, or the quality of counterfeit software (personal thought).

From the press release:

Symantec Corp. (NASDAQ: SYMC) today announced that it was awarded $21 million in damages against a large network of distributors selling counterfeit Symantec software.

The judgments were handed down by the United States District Court for the Central District of California in Los Angeles, CA in favor of Symantec against ANYI, SILI Inc., Mark Ma, Mike Lee, John Zhang, Yee Sha, and related defendants.

"Our customers are the real winners as a result of this case," said Scott Minden, director, Symantec Legal department. "A judgment like this is a crippling blow against these particular syndicates and will drive them even further underground, making it more difficult for them to sell directly to unsuspecting users. It complicates their ability to operate behind the guise as legitimate businesses."

The investigation conducted by Symantec in collaboration with the FBI and Chinese authorities also led to some criminal charges being filed in China.

It appears that this particular case involved pirated software being made to appear as if it was the real deal. According to industry experts, the counterfeiting problem has increased 10,000 percent in recent history.

The software industry alone estimates it loses $40 billion a year because of pirated software. I wonder how many jobs this equates to?

Pirated (super cheap) software is also hawked via the millions (billions?) of spam e-mails attacking our inboxes in record amounts. Recently, Symantec issued a report based on the spam data they monitor revealing that over the current holiday season 71 percent of all e-mail sent is spam.

Counterfeit software also can contain malware (malicious software), which can lead to your system becoming a zombie (part of a botnet to facilitate more spam) and even steal your personal and financial details. These details are then used to steal money either from you directly, or to steal money from financial institutions.

I'm sometimes amazed how a lot of current criminal activity ties in together via the digital world. All the average person needs to do is to watch all the spam messages they get and consider all the different schemes that are behind them. The schemes are nothing new, but the digital age has enabled criminals to reach out to more people than ever before.

Either this is occurring naturally, or some pretty organized people are running operations along the lines of major corporations?

Besides the more personal dangers of buying pirated software, there is a lot of evidence the activity is making a lot of money for organized crime, rogue governments and terrorist groups, alike.

Press release from Symantec, here.

Tuesday, December 25, 2007

Storm Worm bot-herders use scantily clad women in Santa attire to recruit zombies!

Here is a warning from Dancho Danchev about a site that might leave your computer with a worm.

The site invites a person to watch a bunch of scantily clad women in Santa attire for "free."

From the Mindstreams of Information blog:

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

In case you are less than technically astute (a lot of us are), the Storm Worm has been around for a while. Wikipedia offers a good explanation of how it will trash a Windows system, here.

Downloading it normally leads to your computer becoming a spam-spewing zombie controlled by a bot-herder. Of course, becoming infected also poses certain information theft risks.

Full post from Dancho, here.


(Screen shot courtesy of the Mindstreams of Information blog)

Update:

Found some more information on this on the SANS Internet Storm Center, which can be seen, here.

And apparently some splogs have been set up on blogspot to support this current storm on the Internet:

If you google for merrychristmasdude.com you'll see a number of spam blogs set up with that domain in their body and directing traffic to siski.cn (take a look for that in your proxy logs while you're at it.)

Visiting skiski.cn will redirect you over to shockbabetv.com and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.

It also appears that the hackers behind this are moving on to New Year's lures and a new domain.

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post card.com." (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.

Also reported by the SANS Internet Storm Center, here.
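
The proxy-log check suggested in the quoted SANS text, as an added example that is not part of the original post or the SANS diary. It assumes Squid's native access.log layout; the log lines, client addresses and the file name in them are constructed.

```python
"""Search Squid-style proxy logs for the Storm lure domains named in the post."""
from collections import defaultdict
from urllib.parse import urlsplit

# Domains exactly as written in the post and the quoted SANS text
# (the .cn domain appears there with two spellings, so both are listed).
WATCHLIST = ("merrychristmasdude.com", "siski.cn", "skiski.cn", "shockbabetv.com")

# Content types that suggest an executable was served (assumed list).
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample. Fields per line:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1198598400.101 212 10.0.0.15 TCP_MISS/200 5120 GET http://merrychristmasdude.com/ - DIRECT/203.0.113.10 text/html
1198598405.330 98 10.0.0.15 TCP_MISS/302 310 GET http://www.siski.cn/ - DIRECT/203.0.113.11 text/html
1198598406.002 140 10.0.0.15 TCP_MISS/200 88211 GET http://shockbabetv.com/codec.exe - DIRECT/203.0.113.12 application/octet-stream
1198598500.777 45 10.0.0.22 TCP_MISS/200 2048 GET http://example.org/?q=merrychristmasdude.com - DIRECT/198.51.100.7 text/html
1198598600.120 60 10.0.0.31 TCP_DENIED/403 1200 GET http://SHOCKBABETV.COM./ - NONE/- text/html
1198598700.500 30 10.0.0.40 TCP_MISS/200 900 GET http://notsiski.cn/ - DIRECT/198.51.100.9 text/html
1198598800.000 500 10.0.0.44 TCP_MISS/200 0 CONNECT skiski.cn:443 - DIRECT/203.0.113.11 -
malformed line
"""


def host_of(method, url):
    """Return the lower-cased request host without a trailing dot."""
    if method == "CONNECT":          # CONNECT lines log "host:port", not a URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def on_watchlist(host):
    """Return the watchlisted domain that host equals or is a subdomain of."""
    for domain in WATCHLIST:
        # Match on label boundaries so "notsiski.cn" is not a hit for "siski.cn".
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(log_text):
    """Map each client address to its requests for watchlisted hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:         # skip truncated or malformed lines
            continue
        ts, _elapsed, client, result, _size, method, url = fields[:7]
        domain = on_watchlist(host_of(method, url))
        if domain is None:           # the domain only in a query string is not a hit
            continue
        action, _, status = result.partition("/")
        hits[client].append({
            "time": float(ts),
            "domain": domain,
            "status": status,
            "denied": action.startswith("TCP_DENIED"),
            "ctype": fields[9],
        })
    return dict(hits)


def triage(hits):
    """Rank each client: blocked < visited < binary-downloaded."""
    verdicts = {}
    for client, events in hits.items():
        allowed = [e for e in events if not e["denied"]]
        if any(e["ctype"] in BINARY_TYPES for e in allowed):
            verdicts[client] = "binary-downloaded"   # likely fetched the fake codec
        elif allowed:
            verdicts[client] = "visited"
        else:
            verdicts[client] = "blocked"
    return verdicts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, verdict in sorted(triage(found).items()):
        chain = " -> ".join(e["domain"] for e in found[client])
        print(f"{client}: {verdict} ({chain})")
```

Clients ranked "binary-downloaded" are the ones to pull for a closer look first, since the post describes the final site as pushing a fake video codec.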

Sunday, December 23, 2007

Could buying that knock-off item fund the next terrorist attack?

While this story is from a British perspective, it reveals how the trade in counterfeit (knock-off) merchandise is funding some pretty nasty characters beyond the borders of the British Isles.

Richard Elias recently revealed in Scotland on Sunday:

The sale of fake CDs, DVDs, clothing and perfumes in Glasgow and other British cities is helping to raise money for one of the world's most-notorious terror outfits – the group held responsible for the slaughter of US journalist Daniel Pearl in 2002.

MI5 is now targeting British-based supporters of Jaish-e-Mohammed (JeM), a pro-Kashmiri group dedicated to gaining the disputed territory its independence. Its aims include the "destruction" of the United States and India.

This isn't the first time the words terrorist organization and counterfeit merchandise have been used in the same sentence. And in reality, the problem goes far beyond the borders of the United Kingdom.

A good video about the counterfeit problem by KRQE in New Mexico is posted on YouTube, which can be seen, here.

The video references a report by the IACC (International Anticounterfeiting Coalition). The IACC stated in a white paper that:

Low risk of prosecution and enormous profit potential have made criminal counterfeiting an attractive enterprise for organized crime groups. Congress recognized organized crime’s increasing role in the theft of intellectual property when it made trademark counterfeiting and copyright piracy predicate acts under the federal RICO statute (see 18 U.S.C. § 1961). Recently, ties have been established between counterfeiting and terrorist organizations who use the sale of fake goods to raise and launder money.

Counterfeiting is becoming a worldwide problem that poses a threat to the economy and public safety. Unfortunately, a lot of people view it as a victimless crime and continue to support it by purchasing knock-off merchandise.

If you take the time to read the IACC White Paper, it also reveals that a lot of countries that we do business with in the global economy are some of the biggest culprits.

And the biggest offender seems to be China!

This should be no surprise considering the amount of unsafe product being found at your local store coming from that country.

While there are obviously more players in all of this than terrorist organizations, supporting any of them with our business isn't in the public's best interests.

IACC White Paper, here.

Scotland on Sunday story, here.

Are Internet Check Scam Artists staging a December Surge?


(Picture of counterfeit financial instruments recently intercepted in the mail by an International law enforcement task force)

In the past several days, I've noticed a surge in counterfeit check alerts from the FDIC (Federal Deposit Insurance Corporation). From December 19th to the 21st, the FDIC issued 26 alerts from various financial institutions throughout the United States reporting counterfeit activity using their information.

These checks are used in all the different varieties of overpayment scams. The basic MO (method of operation) in these scams is to trick someone into negotiating a bogus financial instrument and sending the money back to the person behind the scam. The victim is offered a small part of the money for doing this.

Of course, they are held liable for all of it when the item is discovered to be fraudulent.

Some of the known varieties of the overpayment scams are the lottery, auction, secret shopper, romance and work-at-home (job) scam(s). Please note you can search any of these "scam" terms at the top of this page for more information.

Spam e-mail is normally the vehicle in which these scams are presented, however they show up in more traditional print venues (including junk mail) from time to time, also.

One thing to bear in mind is that counterfeit checks (cheques) often appear to be legitimate in verification systems. The reason for this is simple, they use legitimate account numbers.

Victims have even asked employees at their financial institution of choice if the instrument was legitimate. Sadly, the items are often so good that the person is told that they are real. A financial institution employee verifying an item offers you no guarantee that the item is good. The person passing the instrument is the one who is liable for it.

Another tricky thing is that many financial institutions will also give their customers credit for these items in their accounts. This often gives the victim a false sense of security and causes them to send the money back to the scammer before realizing what is going on.

Federal rules dictate that banks can only put holds for a specified period of time depending on what type of check it is. The people behind the scams know about this and take advantage of it.

Although the money can be sent in a lot of different ways, most scammers prefer the use of Western Union, or MoneyGram wire transfer services. The reason for this is once the money is picked up (often within minutes), there is no recourse for the person who sent it.

Besides counterfeit checks, we've seen other instruments counterfeited on an industrial scale and sent to unsuspecting people, also. The known items in circulation have included Postal Money Orders, Travelers Express (MoneyGram) Money Orders, American Express Gift Cheques and Visa Travelers Cheques.

The end result of these scams is that the person negotiating the item will be held financially liable. People are also getting arrested in certain circumstances for passing these items.

The National Consumers League recently set up a site (fakechecks.org), which is a great reference on Internet scams involving checks (complete with visual presentations), here.

Here is a post I wrote with more information on how to verify one of these items:

Tools to verify those too good to be true financial instruments you got in the mail

Please note that if the deal you are being presented is too good to be true, or you are being asked to wire money it probably isn't worth going to the effort of trying to verify the item.

Also note that these scams have become so sophisticated that there is no guarantee that any amount of verification can guarantee the item is legitimate!

Friday, December 21, 2007

$500 reward for eBay pirates selling super cheap (counterfeit) software

The Software & Information Industry Association is willing to pay up to $500.00 to anyone who inadvertently buys pirated software off an auction site.

Software piracy is a huge problem. The International Anticounterfeiting Coalition estimates that counterfeiting is a $600 billion a year problem. They also estimate that the problem has grown 10,000 percent in the past two decades.

More specific to the counterfeit software part of all of this, a Business Software Alliance (BSA) and IDA white paper released in May estimated the problem at $40 billion a year.

Pirated software might not work as well as it is supposed to and it might even contain malicious software, which is often referred to as crimeware. The person who puts this on their system is likely to have all their personal and financial details stolen and become an identity theft statistic.

Microsoft has a site to help consumers identify counterfeit software. Earlier this month, they filed 52 lawsuits and referred 22 cases for criminal investigation based on an investigation -- jointly conducted with the FBI and Chinese authorities -- into a counterfeiting syndicate based out of China.

Microsoft has also worked with eBay and information is also available on their site on how to avoid buying counterfeit software, here.

A lot of pirated software is sold on auction sites. The Software & Information Industry Association (SIIA) has launched a campaign to go after this problem on auction sites because they believe a lot of auction consumers are being defrauded when pirated software is sold as the real McCoy.

From the SIIA press release on this campaign:

“The sale of pirated software doesn’t only hurt the software industry,” said Keith Kupferschmid, Senior VP Intellectual Property Policy & Enforcement. “It also hurts consumers. Consumers feel “taken” when they buy software, only to find out when it arrives that the software is a fake -- they did not get an instruction manual or can’t get support from the software company. The Don’t Get Mad, Get Even program is a way for unsuspecting buyers to get even with auction sellers who rip them off by selling them counterfeit software.”

SIIA press release on reward, here.

Counterfeiting is a huge problem which hurts economies (takes jobs) and funds organized criminal and some say (terrorist?) activity. It also puts the person who inadvertently buys it at a fair amount of personal risk. Everyone can help fight it by reporting it to the SIIA, or the other links I've included in this post.

Despite what some people believe, counterfeiting is far from a victimless crime!

SIIA home page, here.

BSA and IDA white paper on counterfeit software, here.

Wednesday, December 19, 2007

MyTruston points out the two most important TIPS to protect your identity this season!

Tom Fragala at MyTruston wrote an interesting post about the two most important things to do during the season to avoid having a grinch (identity thief) ruin it for you.

From the MyTruston blog:

There are a lot of lists about identity theft flying around this time of year. 12 tips of Christmas, top 10 ways to protect yourself from identity theft...that kind of thing.

Well, to save you time and keep things simple (less is better), I am going to boil it all down to two tips that most of you probably already do. But please, make sure you are diligent in keeping up on these.

Can you guess what they are? In case you aren’t sure, I’ve provided a link so you can see if you were right.

MyTruston, the first identity service that doesn’t require that you compromise your personal information, is growing, also. Yesterday, they announced a partnership with Trend Micro Systems, a leading provider of security software.

MyTruston is offering their identity theft service on a free 90 day trial if you purchase a gift card from Trend Micro Systems. The gift card also offers a nice discount on their much talked about software.

The nice thing about the free trial period is that you don’t have to worry about forgetting to cancel the deal and having your credit card “crammed” with recurring charges.

I'm frequently amazed at who some of the companies are that employ this marketing practice (cramming).

Another nice thing about the MyTruston service is that the prevention part of the service has always been free and you only pay for the recovery services.

If you were to shop around, I think you would find it is the best value in the growing field of paid identity theft protection services.

And when spending your hard earned money, it always pays to check around.

Friday, December 14, 2007

Symantec reveals how the spammers are trying to steal Christmas

Kelly Conley announced the Christmas edition of Symantec's spam report on the company blog:

Here we are the end of another year. As 2007 rolls to a close the December State of Spam Report reviews this past month’s key trends and reflects on some of the year’s most notable spam events and trends.

The report notes that Bill Gates' prediction in 2004 that spam would be eradicated has proven not only to be wrong, but that the amount of spam circulating on the Internet has exceeded everyone's expectations (nightmares?).

This month, three out of every four e-mails sent is spam!

Spammers are even using MP3s, videos, and Google's alerts/searches to spread their seedy marketing ventures to Internet users.

Here are some of the highlights of the end-of-year report:

• Penny stocks use Thanksgiving holiday captions in subject line – spammers using common personal Thanksgiving-related words in the subject of emails

• Replica products a favorite for spammers this holiday season – replica gear has always been a spammer favorite. Spammers are marketing their wares using seasonal words in the subject lines of their mailings

• Spam begins to snowball – spammers collecting email addresses by using a funny .gif that shows a snowball hurtling at you through your computer

• Christmas freebie anyone? – spammers taking advantage of the season to market "free" gift cards for well known companies

• Seasonal lotto scams - in a scam targeted at UK end users, spammers have updated a lottery spam email for a Christmas Bonanza special

The current interest in celebrities like Britney Spears, Lindsay Lohan and the Osmonds was used as a lure to get people to open spam e-mails hawking "questionably safe" drugs.

Spammers use whatever is trendy, popular or in the news to trick people into clicking on them. Here is one of the sicker examples of this seen recently:

An attack this month preyed on the public interest in the story of the missing British child, Madeleine McCann. The email contained a link to http://madeleine2007.notlong.com/, which redirected to http://internetwonderful.com/madeleine. The second site is designed to look similar to the official McCann family site, www.findmadeleine.com, however, it actually is set up to distribute a virus. The site also contains an unauthorized use of the Symantec logo and a number of Google ads for anti-virus products.

It should be noted that although the spam email also contains a link to the legitimate findmadeleine.com site, there is no connection between the spammers and the genuine site.

The report concludes its findings with recognition of anti-spam efforts during the year, such as the FBI's Operation Bot Roast, the SEC's Operation Spamalot, ISPs sharing more information and security vendors employing new spam filter technologies.

We need to remember that spam is the vehicle used to spread 99.9 percent of the questionable marketing and scams on the Internet. Clicking on a spam e-mail can cause a person to become a victim of anything from a financial scam to using an unsafe product that is a threat to their personal safety.

These reports serve a purpose, which is to educate the average person on what to watch out for and not click on a spam e-mail in the first place. Since it's Christmas and a lot of us are thinking about the young people in our lives, perhaps this is a good time to educate them on the growing problem of spam on the Internet!

I meet a few older people from time to time that might benefit from the education process, also.

Kelley Conley's blog post announcing the December report, here.

Symantec's December (year end) report on the state of spam, here.

On a lighter note, here is the YouTube video on the 12 days of Christmas Spam:

Thursday, December 13, 2007

Counterfeit Visa Travelers Cheques in circulation!

Counterfeit financial instruments are circulated in a variety of Internet scams. The ploy is always to get someone to cash them and then wire the money back to the person behind the scam.

In the past couple of weeks, readers and other sources have brought to my attention that counterfeit Visa Travelers Cheques are in circulation.

Visa has provided resources to identify these instruments.

You can call them at 1-800-227-6811 to verify an item. This can also be done on-line, here. Visa also has a good interactive tool to identify the security features of the Visa Travelers Cheque, here.

The trick is to ALWAYS verify them before you negotiate them using your good name!

Some of the scams being used to trick people into cashing these items are known as work-at-home (job) scams, secret shopper, romance, lottery and auction scams.

A collective name for all of these scams that ask you to cash an item and send the money back to the scammer is the advance fee (419) scam.

A lot of the sites dedicated to fighting scams are also seeing an alarming trend, which is that people are getting arrested for attempting to cash these items.

I recently had a conversation with the fine folks over at FraudAid about this trend.

A great (new) resource about all the counterfeit paper being circulated is FakeChecks.org.

People who fall for these scams do so because they are lured with something that is too good to be true. The old saying is that if it is "too good to be true, it is NOT!"

Here are some other counterfeit instruments I've written about that are still in circulation:

Counterfeit MoneyGram Money Orders being passed via Internet Scams

Counterfeit Cashier's Checks Fuel Internet Crime

American Express Gift Cheques Being Circulated in Internet Scams

Counterfeit Postal Money Orders Showing Up in IScams Again

Here is a picture of counterfeit Visa Travelers Cheques that were sent to someone about a week ago. They were sent from the United Kingdom, however the scammer wanted the money wired to Nigeria.


(Photograph courtesy of Raleigh)

Tuesday, December 11, 2007

Human beings are the reason for most security breaches!

If you think phishing is merely a financial crime, think again. Eleven employees at a nuclear research facility fell for a phishy e-mail, which appears to have been an attempt to steal information.

The New York Times reported:

A cyber attack reported last week by one of the federal government’s nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed Wednesday to public and private security officials by the Department of Homeland Security.

Although the article suggests China may be behind this attempt, the article suggests they have plausible deniability:

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

I guess it might have been a host of undesirables trying to steal this information. A lot of Internet misfits redirect through China to do their misdeeds on the Internet.

What's scary is that eleven employees at a Nuclear Research Facility clicked on a phishy e-mail and compromised sensitive material.

I recently wrote a post, where an official government audit revealed that 60 percent of IRS employees tested fell for a vishing scheme and gave up sensitive information.

Vishing is stealing information by telephone.

It was recently announced that private investigators are being indicted for vishing information in an illegal manner, sometimes referred to as pretexting.

All of these events would suggest that businesses and government organizations have a big opportunity when it comes to raising employee awareness on social engineering schemes that are used to compromise sensitive information.

It also illustrates that human beings are the common cause for most breaches of security!

New York Times article, here.

Here are the two previous posts on the IRS vishing test and the indictment of private investigators for using social engineering techniques:

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

Private Eyes charged with aggravated identity theft

Monday, December 10, 2007

SIRAS offers guarantee that it will reduce retail crime

The reason SIRAS' product registration and smart return service piqued my interest is because it protects people's privacy and is an effective means of reducing losses.

SIRAS tracks an inanimate object (merchandise) instead of a customer's personal information.

They are now offering a "guarantee" the technology will add dollars to an organization's bottom line by reducing fraudulent returns.

In their own words from the press release regarding this matter:

Electronic Product Registration, is putting its money where its mouth is with a unique Return On Investment (ROI) Guarantee for any company using SIRAS’s product registration and Smart Return service to manage their product returns and warranties. The program, designed to eliminate any risk for companies interested in implementing SIRAS’s technology, guarantees that over the course of a year companies will save more money through deflected product returns than it spends in transaction fees.

In case you haven't had to refund any merchandise in a long time, most retailers require you to give them your personal statistics before they approve your return.

This information is all maintained in a database, where it might be exposed to a hacker or, probably more frequently, a dishonest employee. Information is worth a lot of money to anyone who knows where to sell it.

A dishonest Certegy employee recently got caught selling 8.5 million people's information to an undisclosed data-broker. Since the mysterious data-broker still hasn't been identified -- despite being listed as a co-conspirator in court filings -- we really aren't sure where these records went.

Certegy provides check verification services for a lot of merchants.

Personal and financial information is marketed in carder forums (chat rooms) on the Internet. Anonymous payment methods, such as wire transfers, PayPal and eGold add to the problem. They make it relatively easy to buy and sell stolen information.

It also isn't unknown for criminal organizations to plant or recruit employees to steal information from within an organization.

The press release quotes Peter Junger (SIRAS CEO) as saying, "And in all cases, regardless of ROI, clients retain all of the valuable POS data collected."

This POS data also serves another important purpose. If the merchandise is found in a fencing operation, or on an auction site, it can still be tracked to the point-of-compromise.

This opens up opportunities to recover stolen merchandise and makes it more dangerous for the criminals fencing it.

Mesa Police Department tested these capabilities with SIRAS and FOX News did a story on it, which can be seen, here.

The technology, when deployed properly with a point-of-sale system, can also identify fraudulent means of tender used to purchase merchandise.

SIRAS technology can be deployed by a merchant, or at the factory itself.

They already make their database available to law enforcement free-of-charge.

With all the identity theft and counterfeit ID available, using SIRAS reduces the possibility that an innocent customer will be wrongfully identified as an "undesirable" in a refund database.

Saying that, who knows how much of the information in these databases is one-hundred percent accurate anymore? With retail crime becoming more and more organized, the possibility exists that it is NOT.

One of the systems targeted in the TJX data-breach was their refund database. The information in this database is probably worth more than simple financial information because it contains the elements necessary to assume a person's identity.

It's relatively easy to shut down a bank account, or credit card number. Once a person's statistics are compromised, they can be at risk of identity theft for a long time.

Data breaches are becoming more expensive. TJX claimed a loss of $118 million in their second quarter earnings. Estimates vary widely on exactly how expensive data-breaches will become, but everyone agrees the cost of them is going up.

SIRAS seems more effective in resolving property crimes because it tracks the property, itself. It also protects customer privacy and protects a merchant from becoming the victim of a data-breach.

I doubt that SIRAS would make this guarantee if they weren't absolutely certain of the results. If they were wrong, I doubt they would be in business very long.

Press release from SIRAS, here.

Saturday, December 08, 2007

FTC tutorial on how to protect sensitive business information

The FTC has released a training tool designed to help businesses protect sensitive information, which might be stolen to commit identity theft or fraud.

After taking a look at it, I found it to be a simple, straightforward and effective way for a business to evaluate how well it is protecting information.

From the FTC release on this new tool:

Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure.

The tutorial, “Protecting Personal Information: A Guide for Business,” at www.ftc.gov/infosecurity, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security.

The tutorial supplements brochures, slide presentations, and articles on information security already on the Web site and available from the FTC for free. The agency is encouraging businesses and other organizations to share this important information with employees who handle personal information such as Social Security numbers, credit card numbers, financial account numbers, and other sensitive personal information.

Interestingly enough, I just did a post on a new report released by the IT Policy Compliance Group. Their findings were that the organizations that suffer the fewest incidents of information theft have a few things in common: they keep their programs simple and pick out the most critical items with a focus on risk. The organizations with the fewest incidents of data theft also inspect these critical items more frequently.

The FTC tutorial gives some great guidance on how to identify the most critical, risk-focused items in an organization.

Common sense often is the best way to approach ensuring competent security.

Materials can be ordered for presentation purposes by following the link listed in the press release.

FTC press release, here.

A video presentation of this information can be seen, here.

Private Eyes charged with aggravated identity theft

This isn't the first time private investigators have been caught using social engineering techniques to steal personal information. The Hewlett Packard case caused quite a bit of uproar about this last September.

Here is another case involving private investigators using illegal techniques to data mine information for their clients:

Ten people were indicted by a federal grand jury in Seattle in connection with a scheme to illegally obtain confidential information on more than 12,000 citizens across the country. To obtain confidential tax, medical and employment information, workers at BNT Investigations in Belfair, Washington, would pose as another individual to get government agencies including the IRS, the Social Security Administration, and various state employment security offices to provide confidential information. The year-long investigation dubbed, “Operation Dialing for Dollars,” also revealed that some workers posed as representatives of doctors’ offices to get medical or pharmacy records.

The private investigators used "pretexting," which is a social engineering technique designed to trick people into giving up personal and financial information. Criminals use the same technique to steal people's identities.

In fact, phishing, where an e-mail is sent impersonating a trusted or authority figure with the intent of stealing personal information, is a form of "pretexting."

In this case, we might term what these private eyes did as "vishing," which is phishing using the telephone.

It appears that the U.S. Attorney's office agrees that there is little difference in the techniques used by these private eyes and is charging them all with aggravated identity theft.

The ten defendants are charged with Conspiracy and Wire Fraud. Seven of the defendants are charged with Fraudulent Elicitation of Social Security Administration Information. Six of the defendants are charged with Solicitation of Federal Tax Information. All ten defendants are charged with Aggravated Identity Theft. The three Washington defendants are scheduled to appear in U.S. District Court in Tacoma at 2:30 today.

These are the defendants indicted by the grand jury:

EMILIO TORRELLA, 36, Belfair, Washington
BRANDY N. TORRELLA, 27, Belfair, Washington
STEVEN W. BERWICK, 22, Belfair, Washington
VICTORIA J. TADE, 52, San Diego, California
MEGAN OSOSKE, 40, Beaverton, Oregon
DARCI P. TEMPLETON, 55, Houston, Texas
ESAUN G. PINTO, Sr., 33, Brooklyn, New York
PATRICK A. BOMBINO, 58, Brooklyn, New York
ROBERT GRIEVE, 67, Houston, Texas
ZIAD N. SAKHLEH, 26, Houston, Texas

The Torrellas, who own BNT Investigations, allegedly are the "phishy-investigators" who were selling this illegally obtained information to their peers nationwide.

The private investigators had been hired by attorneys, insurance companies and collection agencies to investigate the backgrounds of opposing parties, witnesses and benefit claimants, and to uncover assets or income. The TORRELLAs promoted their services to the private investigators.

BNT Investigations targeted financial institutions and government agencies to get the information they were selling.

This makes me wonder how much the people paying for these services knew and to what extent they might be held liable.

Although it doesn't appear that more sophisticated spying (identity theft?) techniques were used in this case, in the Hewlett Packard case investigators dropped software (malicious?) on computer systems to monitor the people they were "investigating."

Press release from the Western Washington U.S. Attorney's Office, here.

Friday, December 07, 2007

Has hacking become too easy? Ask the child predator who just got 110 years for doing it!

Here is a hacker who ended up in a lot of trouble after using malware to blackmail underage girls into creating pornography of themselves. The problem is that it was probably a little too easy for him to obtain the tools he used to pull his "hack" off!

This leads me to be slightly cynical that putting one person behind bars for 110 years is going to solve the overall problem we are facing with the irresponsible use of technology.

Picked this up from Sharon Gaudin (Computer World) courtesy of the NY Times:

A North Carolina man last week was sentenced to 110 years in prison after admitting that he and a co-conspirator hacked into computers used by young girls and used illicitly gained data to blackmail them.

Ivory D. Dickerson, 33, a civil engineer, admitted that he conspired with the other person to send emails or instant messages to underage girls as part of a scheme to trick them into opening a file containing the Bifrost trojan horse. The malware would give Dickerson and his co-conspirator control over the victim's computer, and they tried to use hacked information to coerce the girls into creating and then electronically sending them lurid photos of themselves, prosecutors said.

Dickerson used all the normal techniques to monitor his victims, such as keylogging software. He also had a tool, which enabled him to hack into web cameras and record what was going on.

This concerned me from a privacy perspective so I decided to see what would pop-up if I Googled "hacking webcams." To my utter amazement, I found some shocking results, which are pretty scary.

In fact, one site has a tutorial on how to hack webcams, using a Google search string.

In most instances, this can be prevented by password protecting whatever camera system you install.

Please note that criminals could use your cameras against you in a variety of ways that threaten both your privacy and safety.

Going back to the article about our hacker using Bifrost malware, a Sophos rep is quoted as saying:

The Bifrost malware, "is relatively easy to obtain," said Richard Wang, manager of SophosLabs U.S. "It's not something you need to pay for. Since we first saw it in April of 2005, we've seen over 1,200 different versions of this Trojan. The guys who write them are always trying to put up new versions to hide them from anti-virus software."

I'm guessing that Mr. Wang means the malware can be obtained from one of the hacking forums that seem to be out there (pretty easy to access) on the Internet.

As far as Mr. Dickerson goes, lock him up and throw the key away, preferably on a deserted island. Saying that, here is yet another example that it doesn't take a whole lot of skill to be a hacker nowadays. In fact, it seems to be a little too EASY!

It's a shame that parents now have to become computer security experts to ensure the safety of their children. Maybe the answer is to take a hard look at all the enabling factors we seem to see too much of these days?

ComputerWorld article (courtesy of the NY Times), here.

Fox News has a pretty telling video about the subject of webcam hacking, which can be seen, here.

Thursday, December 06, 2007

Word of mouth is fraud's worst enemy!

FraudAid, a website dedicated to helping fraud victims, has a saying, "Silence is fraud's best friend. Word of mouth is fraud's worst enemy. Pass the word!"

In a world where fraud victims have a hard time getting anyone to even talk to them, this saying makes a lot of sense.

FraudAid was conceived by a woman by the name of Annie McGuire, who fell victim to a fraud scheme herself. Her personal story, which is told in great detail on the site, proves that just about ANYONE can become a fraud victim.

In my personal dealings with victims, you would be surprised who has been scammed.

The problem is that most people -- especially those who think they should have known better -- rarely report that they have become a victim of fraud. FraudAid strives to educate all of us that the lack of communication enables fraudsters to victimize people who, had they been made AWARE, might not have been taken in by a fraud scheme.

This is the reason there seems to be so much fraud, and why the experts compiling all the statistics disagree on how much fraud exists. After all, "Silence is fraud's best friend."

The FTC just released their estimate of identity theft victims, which has raised a lot of speculation about how accurate their number is.

I have no doubt that the FTC did the best they could, but if fraud isn't reported, it's hard to quantify.

The FraudAid site is a wealth of information for someone who is trying to seek help after becoming a victim. Of the greatest importance (in my opinion) is how to deal with the authorities.

One page on the site shows the average person how to write a narrative that will get the Police interested in going after your case.

It also goes into great detail on what law enforcement agency specializes in what type of fraud. This can be confusing for someone dealing with being victimized for the first time.

The site also addresses a growing phenomenon, which is how to avoid getting arrested after becoming a victim. With all the auction fraud and stolen financial information being sold wholesale, fraudsters have developed a need to launder the proceeds of their illicit transactions.

The way they do this is by tricking people into doing it for them. This is accomplished by hiring them under "false pretenses" to negotiate all their illicit transactions and wire the money to them. This scam is often referred to as a work-at-home, job, or check-cashing scam.

Another variation, known as a reshipping-scam, tricks people into reshipping stolen merchandise.

In reality, the victim is taking all the risk for the scammer and, more and more often, the rap for them when they get caught. Sadly enough, the end result is almost certain financial ruin and possibly being charged with a host of crimes, including check fraud, money laundering and receiving stolen goods.

Some of the detailed information on the different scams that can be found on FraudAid covers investment, Nigerian (419), sweetheart/romance, lottery sweepstakes, lottery, work-at-home, visa/green card, counterfeit check/money order and reshipping/package processing scams.

Also covered on the site is how to protect yourself and recover from identity theft. Many fraud victims later become a victim of identity theft when a fraudster sells all the information they've data-mined off them.

The site even contains information on child safety and human trafficking.

Backing all this up are a host of research tools for fraud, where to report it and how to take political action.

Annie is now backed up by a group of volunteers, one of whom, Karrie Brothers, assisted me with a lot of information on the current goings-on at FraudAid.

To grow this effort, Karrie and Annie are actively seeking volunteers to assist them. Being one of the few resources that a victim can turn to, they are getting a lot of business!

FraudAid gives a good explanation of why volunteers are needed and why they are trying to grow their organization:

Fraud, by every measure, is one of the biggest and fastest growing industries in the world.

One study values worldwide corporate fraud at over two trillion dollars. This is not counting consumer and Internet frauds for which there is no reliable assessment. Another study estimates that 6% of global product is laundered money.

The fraud industry is run by many, many skilled professionals. The anti-fraud industry is small and, by comparison, run by very few skilled professionals.

That's why if you have the skills you can make a real difference!

Fraud Aid, Inc. is a volunteer anti-fraud organization. We, as all other anti-fraud organizations, are out-numbered and need your help.

We have the frauds. Do you have the time?

To grow the organization, they are recruiting a wide range of volunteers with law enforcement, legal, IT and education experience. There are also opportunities for people with no experience.

Even if you think you are aware of all the fraud schemes out there, FraudAid is a great place to learn more about them. After all, if people weren't being taken in by the schemes, fraud would probably disappear pretty quickly!

If you want to learn more about FraudAid, the site can be seen, here.

Tuesday, December 04, 2007

IT Policy Compliance Group issues study on data breaches and information theft

Today, the IT Policy Compliance Group released an interesting report on the state of compliance and how it relates to the growing phenomenon of information theft and data breaches.

The IT Policy Compliance Group is a non-profit organization supported by the Computer Security Institute, Institute of Internal Auditors, ISACA, IT Governance Institute, Protiviti and Symantec. The report reflects the findings of more than 450 organizations that were surveyed.

To sum up the main findings in the report:

The most recent benchmark research conducted by the IT Policy Compliance Group (IT PCG) reveals an intimate relationship between financial outcomes, sustained competitive advantage, data protection, and regulatory compliance.

The core competencies for protecting sensitive data are the result of this research and show the practices, procedures, and organizational strategies being implemented by organizations with the least loss and theft of sensitive data. A company’s ability to sustain its competitive advantage is enabled by protecting its sensitive data, resulting in better customer retention while protecting the brand and reputation of the firm. Protecting sensitive data helps a company avoid revenue loss, market capitalization loss, and unnecessary expenses.

The findings in the report show that a lot of organizations are struggling with high rates of data loss and theft. 87 percent of them suffer data loss or theft 3-12+ times a year. The remaining 13 percent, with three or fewer occurrences, have something in common: an efficient and workable compliance program.

The organizations with the fewest occurrences focus on 30 or fewer control objectives. This is in stark contrast to the organizations with a higher occurrence rate, which focus on 80 or more control objectives.

These organizations (with the fewest occurrences) have examined their control points, carefully selected the most important ones and remain focused on them.

Organizations with the fewest occurrences inspect their control points more frequently. The most compliant organizations with the fewest occurrences inspect them an average of every 19 days. Those organizations with the most occurrences inspect their control points on an average of every 230 days.

Data breaches and information theft are getting more and more expensive for the organizations that suffer the unfortunate experience of having one happen to them:

Financial outcomes from the loss or theft of sensitive data include customer defections, revenue declines, declines in stock price for publicly traded firms, and additional expenses (see Why Compliance Pays: Reputations and Revenues at Risk, IT PCG, July 2007). Additional financial risk results from expenses incurred for litigation, litigation settlements, consumer credit counseling, investigations, data restoration, and necessary (and after-the-fact) get-well efforts. Averaging nearly 8 percent of revenue, the expected losses from benchmarks conducted with hundreds of organizations are mirrored by actual experience.

The report points out that one shoe doesn't fit all when a data breach occurs -- but there is little doubt that the cost is rising and will continue to do so -- as more public awareness is created from all the play some of these breaches get in the media.

Also acknowledged is that despite the large number of reported data breaches, there are many more that are never discovered.

Information is worth money, whether it is used to commit financial crimes or gain a competitive edge over another organization. These undiscovered occurrences are more valuable to the people stealing the information because nothing has been done to counter the fact that they have it.

The recent TJX data breach -- which is now being estimated by some sources at up to 100 million records lost -- has already caused TJX to claim a $118 million loss in their second quarter earnings.

A key finding in the report is the importance of the human factor. Anyone who has studied information theft or data breaches knows that the human factor is often what compromises information.

I've often written that no amount of security is going to stop a motivated person who has been given access to the information.

Social engineering techniques are also used by criminals to trick employees into either giving up the information, or downloading software to compromise it by more technical means.

A good example of this is a recent study issued by the Treasury Inspector General for Tax Administration's Office. The report revealed that 60 percent of the IRS employees tested compromised sensitive information via social engineering techniques routinely employed by criminals.

According to the ITPCG report, here are the different causes of data breaches/information theft revealed by the study:

The conduits through which sensitive data is being lost and stolen include data residing on PCs, laptops, and mobile devices; data leaking through email, instant messaging, and other electronic channels; and data that is accessed through applications and databases.

Notably, most of the methods listed above require some human interface to occur.

It never ceases to amaze me when I see another report where a laptop, tape, or disc containing sensitive information is lost. Even worse, we still see occurrences where the information wasn't even encrypted.

A case in point would be the recent occurrence in the United Kingdom, where unprotected discs containing the information of 25 million children were being sent by snail mail.

The report goes into more depth on how information theft occurs and states:

After user error, the most common contributions to data loss and theft include violations of policy, Internet threats and attacks, lost and stolen laptops, IT vulnerabilities, and insufficient controls in IT. These sources of data loss and theft can be countered with a combination of policy violation sanctions and procedural and technical controls.

The report sums its findings up with the sources of compliance deficiencies. Its findings were that five areas are directly related to IT security, three areas are related to IT function and may relate to IT security, and two others are directly related to procedures and may or may not involve IT.

Today, besides people, information technology is what runs most organizations. The reason for this is obvious: it reduces costs and makes things run more efficiently. Given this, when information technology is used improperly, it makes criminals more efficient and provides them with new avenues to commit crimes.

Saying that, this report has a lot of valuable information for anyone developing a compliance program to protect this asset (information).

The report cites the Attrition.org data loss archive as a resource. This is also a valuable resource for anyone looking at the growing phenomenon of data breaches/information theft.

Here is the statement of purpose for the IT Policy Compliance Group from their site:

The www.ITpolicycompliance.com web site is dedicated to promoting the development of actionable, fact-based findings that will help professionals to better meet the policy and regulatory compliance goals of their organizations. Supported by members such as the Institute of Internal Auditors, the Computer Security Institute, and Symantec (collectively known as the IT-Policy Compliance Group), the web site focuses on delivering information that will assist in improving IT compliance results based on primary benchmark research.

The full report is available on the site.

Sunday, December 02, 2007

Are criminal to criminal (C2C) networks making cyber crime too easy?

With the FBI's announcement of Operation Bot Roast II detailing the arrests of several bot-herders infecting computer systems on an international basis, it's become apparent that a lot of crime is going on with the click of a mouse.

One of the more amazing revelations to come forward from Operation Bot Roast II was that a teenager was described in the media as a "cyber crime kingpin." Most of the people arrested were under 30. This led me to wonder if our young people are getting smarter, or cyber crime is getting a lot easier to commit?

I ran into an article from ZDNet entitled, "The new battleground in cyber crime." It covered a lot of things I already knew, but perhaps it hits on the reason cyber crime is growing at an explosive rate.

From the article written by Yuval Ben-Itzhak (originally published on News.com):

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."

The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.

With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.

The criminal to criminal (C2C) business model was a new term for me, but after thinking about it -- it describes exactly what we keep hearing is going on out there.

Yuval made another statement in his article, which is something I've tried to point out numerous times:

The cybercrime equation is simple: the longer the crimeware remains undetected, the higher the profit for the attackers.

When I say I've tried to point this thought out before, it was in reference to all the data breaches we see in the news. Once a data breach becomes transparent, the information probably isn't of very much use in the C2C business model, anymore.

Maybe that is why after a data breach, we rarely see anyone get caught using the information?

If this is true, the more we can monitor the C2C business model in real time, the more effective we will be in attacking the criminals behind it?

While investing a lot of resources dealing with the data breaches is probably necessary, it does little to solve the overall problem. The statistics are that once a data breach becomes transparent the information rarely gets used, if at all.

With litigation arising from some of these data breaches, the cost of revealing one is becoming cumbersome, also. I wonder what would happen if we started spending more money up-front going after what is going on right now? We might spend a lot less money cleaning up the mess, after the fact.

Unfortunately, the monetary resources allocated by most organizations to fight cyber, financial and information crime are often considered a necessary evil. The result is that the people dedicated to protecting us from these types of crimes are often some pretty over-worked individuals.

Please note that this is true in both the private and public sectors.

Couple this with certain marketing practices that make committing some of these crimes fairly easy and it's no wonder we are facing an ever growing problem.

Perhaps, we should start rethinking how we go after this problem?

Yuval's article (which I consider an interesting read) can be seen, here.

Some of the reference material he used in writing his article came from the security research people at Finjan. The interesting information in this report is available on the Internet, and can be seen by linking, here.

Friday, November 30, 2007

How to spot a foreclosure scam

With 1-2 million foreclosures on the horizon, we are probably going to see a lot of shady characters advertise on lamp posts, classified ads, pay-per-click advertising and spam e-mails with questionable promises to rescue people in a difficult situation.

Apparently, the mortgage crisis is now so bad some are saying it's likely to cause a recession.

Foreclosure scams have been around for a long time, predating the current mortgage crisis.

Scams rarely change very much; they tend to disappear and then resurface when there is an event that makes them viable again.

For instance, the infamous Nigerian 419 scam, which is frequently in the news, can be traced to what was known as the Spanish Prisoner letter, which dates back to the early 1900s.

Advance fee is one of the more popular variations of a foreclosure scam: people are asked to pay a large fee up front and then get nothing for their money.

I had a reader send me an e-mail, where this was occurring and the intended victim was being asked to wire the money. Being asked to wire the money is common in all the advance fee type scams, because once it's wired the sender has very little recourse, if any at all!

I found an interesting article on the DOJ (Department of Justice) website published in 1998 by the American Bankruptcy Institute.

The report details the following types of foreclosure scams:

"For the cost of a bankruptcy filing fee, a debtor can immediately obtain one of the most powerful injunctions available under American law: the automatic stay," the foreclosure scam task force pointed out. The task force report described bankruptcy foreclosure fraud as the practice of filing for bankruptcy to delay or defraud creditors, without intending to comply with the requirements for obtaining a bankruptcy discharge or completing a repayment plan.

The foreclosure scam most commonly associated with the West Coast is the fractional interest transfer. Typically, a partial interest--perhaps 5 percent or 10 percent--in property held by a homeowner facing foreclosure is transferred to a real or fictional entity already in bankruptcy. Because the property interest is then held by a bankruptcy debtor, the original owner's creditor cannot foreclose until the bankruptcy court lifts the automatic stay.

Some scams involve fractional interests transferred with the knowledge of the original property owner. Often, however, the original owner first transfers the property to the perpetrator of a foreclosure scam, who then transfers the fractional interest without the original owner's knowledge. Sometimes a property is moved from case to case as the stay is lifted; one residential property was linked to 24 different bankruptcy cases.

The task force report explained how one homeowner facing foreclosure was persuaded by a scam perpetrator to sign deeds of trust and grant deeds transferring fractional interests in her property. The homeowner paid the foreclosure consultant several hundred dollars per month so she could stay in her home. The fractional interest recipients included apparently fictitious individuals as well as homeless persons recruited for a fee to participate; eight recipients filed for bankruptcy one after the other. Each filing stayed foreclosure on the property, causing a 10-month delay between the first filing and the completed foreclosure.

Many more variations of bankruptcy foreclosure fraud are surfacing around the country. Probably the most widespread involves the use of foreclosure notices to identify individuals facing the loss of their homes. The scam perpetrator contacts the home owner, advertising "mortgage assistance" or "foreclosure counseling" and promising to work out the home owner's problems with the mortgagee or to obtain refinancing for an up-front fee typically ranging from $250 to $850. The perpetrator may direct the home owner to "fill out some forms," including a blank bankruptcy petition, or may collect the information needed to complete a petition later. The perpetrator subsequently files a bankruptcy petition in the home owner's name, after filling in the bankruptcy papers signed by the home owner or forging the home owner's signature. The bankruptcy petition invokes the automatic stay, the imminent foreclosure is postponed, and the home owner stops receiving collection calls and letters.

In most cases, the perpetrator does not tell the home owner about the bankruptcy petition, instead convincing the home owner that foreclosure activity has ceased because mortgage problems have been worked out. The perpetrator may tell the home owner that he or she might receive a notice from the court, which should be ignored. The home owner may even be told that the perpetrator has gone to court on the home owner's behalf. No one appears at the Section 341 meeting, the case is dismissed, the foreclosure goes forward, and the home is lost.

Permutations of this scam include the perpetrator's collecting monthly mortgage payments from the homeowner, falsely stating that they will be forwarded to the mortgagee. In these cases, each defrauded homeowner pays not only the up-front fee for "services," but also hundreds or thousands of dollars in mortgage payments.

In another increasingly common alternative, the scam perpetrator convinces the home owner to quit-claim the residence to the perpetrator or to sell the residence for a nominal fee such as $1. The home owner agrees to transfer title because he or she has little or no equity in the property. The perpetrator charges the home owner "rent" or a "consultant's fee" or "management fee" to stay in the residence while the mortgage problems are worked out, after which the home owner will be able to "apply for repurchase" of the property or share the profits if the perpetrator sells the property.

But it costs money for the perpetrators to file all of these bankruptcy cases. To avoid bankruptcy filing fees, some perpetrators transfer an interest of the home owner's quit-claimed property into the name of an existing bankruptcy debtor--perhaps a Chapter 11 business debtor across the country--in a variation of the fractional interest scam. Typically, the debtor learns that a property interest has been transferred into its bankruptcy estate when it is contacted by counsel for the property owner's secured creditor, who has learned it cannot foreclose because the property is owned by a bankruptcy debtor.

Full report from the American Bankruptcy Institute, here.

Reuters (video courtesy of YouTube) did an interesting piece that is more recent. In it, they offer some pretty good advice: be EXTREMELY CAREFUL before signing any documents related to your home in any of these come-ons.

The end result could be losing your home to the person who is claiming to help you!

You can view the video below:

Operation Bot Roast II snares bot herders, worldwide!


Official FBI photo for Bot Roast II (Globe in a laptop)

This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.

Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."

The Associated Press is reporting:

Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.

Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.

Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.

I decided to do a little digging on this and the FBI announced on their site that this is part of Operation Bot Roast II.

It appears that more than a teenager is being taken down for victimizing millions of people, worldwide.

From the announcement on the FBI site:

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.

Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.

The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

I discovered more information on Operation Bot Roast II in an FBI press release:

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."

The press release also has detail on the most current arrests:

1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customers' data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.

Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about John Schiefer (above).

The amount of damage bot herders have caused millions of people on the Internet is astounding. Even if you consider only the amount of spam the average Internet user has to deal with on a daily basis, these current arrests are good news for the Internet community. Spam is the vehicle by which most scams, misleading advertising and counterfeit goods are spread in the electronic world.

The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.

In closing, I would like to pass them on:

http://www.fbi.gov/
http://www.onguardonline.gov/
http://www.lookstoogoodtobetrue.com/
http://www.uscert.gov/
http://www.ic3.gov/

One not mentioned that is great (my opinion) is http://www.fakechecks.org/. A lot of the scams involving counterfeit checks start with a spam e-mail AND most spam is spread using botnets.

AP article on New Zealand teenage bot herder, here.

FBI press release on Bot Roast II, here.

Thursday, November 29, 2007

American Greetings draws a line in the sand against ecard scams!

Recently, we've seen electronic greeting cards (ecards) loaded with malicious software sent out by the millions in spam e-mails. For the person who accidentally opens one up, the end result is (probably) an unfortunate experience of one kind or another.

With the holidays upon us and spam levels increasing, we will more than likely see another rash of ecard spam (scams).

The unfortunate experiences range from having your system turned into a zombie (part of a botnet to send out more spam e-mails) to having all your personal details recorded with keylogging software and sent to scammers, who use it to make you an identity theft statistic.

Of course, people are also often tricked into giving up their details via social engineering techniques.

Symantec recently issued findings that 71 percent of all e-mails are spam. Breaking it down further, spam is the preferred vehicle to further fraud, phishing and financial misdeeds on the Internet.

Going back to the ecard scam phenomenon, a warm wish from someone is a pretty sneaky form of social engineering (deception) designed to trick someone into downloading something on their system they shouldn't have.

In response to this, American Greetings recently launched a campaign to educate the common person on how to tell if the greeting they receive is from a friend or a foe.

Here are some information bytes from their new page about what they have done to stop ecard scams:

AmericanGreetings.com has changed the format of all ecard notification emails sent to ecard recipients. Now legitimate ecard notification emails from us will have all of the following attributes:

The "from" will always show "Ecard from AmericanGreetings.com" as the display name and ecards@americangreetings.com as the email address. Make sure you check both the display name and email address of the email.

It should appear as the following: "Ecard from AmericanGreetings.com"

The subject line will always include the name of the individual sending the ecard. Make sure you recognize the individual in the subject line before clicking on any links. It should appear as the following: "John Smith has sent you an ecard from AmericanGreetings.com" ("John Smith" is the individual sending the ecard to you).

The email message will include the name and email address of the sender. Make sure you recognize the individual in the email message before clicking on any links.

We have made it easier to find the ecard pickup area on our site, so you can quickly and safely view your greeting without clicking on any email links. On AmericanGreetings.com, it is now located in the upper right-hand corner of the homepage (americangreetings.com)

They also offer some sage advice on how to avoid becoming a victim:

First and foremost, if there is any suspicion that you have received a fraudulent ecard email, do not click on any link.

If you have any doubt who the email is from, manually type in www.americangreetings.com after the http:\\ found in your Internet browser.

Then find the ecard pickup link (ours is found in the upper right-hand corner of our homepage: www.americangreetings.com) to safely view your ecard.

Last but not least, here is some useful information on ecard scams in general:

A wide variety of websites and brands have been affected. While the subject line of the malicious ecard email tends to be generic, such as "You've received an ecard from a class-mate!" or "You've received a postcard from a family member," more recent examples include brand-specific messaging such as "Worshipper sent you a postcard from americangreetings.com." Also, the pickup link within a malicious ecard email is most likely always an IP address, such as 127.0.0.1, which is much different than the typically used pickup link from a legitimate ecard sender that starts off with the host name (e.g., americangreetings.com) and not a series of numbers. As of August 23rd, we have started observing fake emails where the link shows a host name (e.g., http://www.americangreetings.com) but the actual link goes to an IP address instead of americangreetings.com. To see if there is an IP address associated with the link, hover over it with your cursor. If you see a URL when hovering over the link that has a series of numbers, such as http://89.678.999.12, it is not a legitimate link and you should not click on it.

If you are interested in viewing the rest of this resource before you open an ecard, the page on their site can be seen, here.

Of note, they have some pretty good visual demonstrations that can be seen on the page.

Wednesday, November 28, 2007

Search warrant of credit card fraudster's house reveals 185,000 stolen social security numbers from the VA


(DMV photo of Kim from the OC Register)

Not sure what's wrong with this picture, but it was recently discovered that a suspected gang member (Tae Kim) got himself a job as an auditor at the Veteran's Administration, despite the fact he had a criminal record, and stole 185,000 social security numbers.

The stolen social security numbers were discovered when a search warrant was done at his house after he was implicated for using stolen (skimmed) credit card information at a jewelry store.

One of the credit cards used contained the skimmed information of Marlon Wayans, a well-known actor.

Erika M. Torres of the OC Register reports:

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain.

The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file.

Apparently Kim quit his job at the Veteran's Administration after finding out that they planned to do a criminal background check on him.

Pretty scary that a federal agency doesn't vet their employees before hiring them and then gives them access to personal and confidential information.

While data breaches are daily staples in the news, this story might suggest there are many smaller ones that no one knows about.

Given that Kim is suspected of being a member of the Koreatown gangsters and was caught using counterfeit credit cards, I wonder if he was intentionally planted at the VA for the purpose of stealing information?

In the information theft world, it wouldn't be the first time a criminal outfit planted someone in an organization with the intent of stealing information.

Bob Sullivan at MSNBC did an article in 2004 quoting studies that showed that a large amount of the information stolen was due to insider theft, here.

Another more recent story in the news is an employee at Certegy, who is now pleading guilty to stealing 2.5 million people's information, here.

OC Register Story on Mr. Kim, here.

This isn't the first time the Veteran's Administration has been the subject of sloppy security:

In May of 2006, they lost a laptop with 26.5 million people's information from an employee's house. It was later found and the FBI stated they were pretty sure that none of the information had been used.

In August of 2006, it was reported that one of their vendors lost a laptop with 38,000 people's information on it.

Tuesday, November 27, 2007

Dishonest Certegy employee strikes plea agreement for selling 8.5 million people's information

Certegy wasn't the largest data breach reported this year; it only compromised a mere 8.5 million people.

What was troublesome -- for the people compromised at least -- was the fact that their personal and financial information was sold to entities that still haven't been disclosed. The financial information I'm referring to included checking, credit card and debit card account information.

Yesterday, it was announced that the dishonest Certegy employee involved, one William Sullivan, agreed to plead guilty for what is being termed a "reduced sentence."

Marjorie Manning of the Jacksonville Business Journal wrote:

Sullivan faces up to five years in prison and a fine of $250,000 on each count, although the U.S. Attorney's office will recommend a shorter sentence because of Sullivan's acceptance of responsibility, the plea agreement said.

Sullivan also will be required to make restitution to Fidelity, the filing said.

Sentencing was scheduled for Nov. 21, but Sullivan's attorney has asked the court for a delay because of the attorney's travel plans over the Thanksgiving holiday.

Fidelity has said that it has no evidence of the stolen information being used for anything other than marketing purposes, but the company faces several class action lawsuits alleging damage as a consequence of the theft.

Even more amazing, many months into this, the data broker who bought the information from Sullivan is merely listed in the legal proceedings as a "co-conspirator."

Here is a snippet from the article about the co-conspirator:

The scheme was broader than initially disclosed July 3 by FIS. According to court documents, Sullivan agreed with the co-conspirator to steal the consumer information beginning in at least 2002, and Sullivan was paid more than $580,000 over the course of the conspiracy for the data.

FIS (Fidelity National Information Services Inc.) is Certegy's parent company.

I did a few posts on the breach, shortly after it occurred and a lot of angry people left comments on them. Some of them seemed to disagree with the official statement that the information was never used.

Here are the posts:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

In all fairness, it's hard to vet the comments I get on a post. That being said, I saw a lot of angry people leave some pretty interesting comments.

Couple this with the fact that the information broker (named as a co-conspirator) hasn't been named yet and the story leaves a lot of details that remain a mystery.

The article doesn't seem to specify how many counts Sullivan is pleading guilty to. Hopefully once the sentence is announced, we aren't going to have a lot of victims (8.5 million of them) feeling like he got a slap on the wrist!